MacOS Insecure Swap File

It turns out that even with SIP enabled a regular root user can write to the swapfile under /private/var/vm/swapfile0 on MacOS.


MD5 | 9be1c54a36a8598d7f45bd9dfd59fc35

 MacOS uses an insecure swap file 

CVE-2017-2494


This came out of a discussion with Jann Horn this afternoon; credit is his.

It turns out that even with SIP enabled a regular root user can write to the swapfile under /private/var/vm/swapfile0.

That file is created on demand when the system starts to swap; if you can't see it increase system load.

Then as root (with SIP enabled) do:

cat /dev/urandom > /private/var/vm/swapfile0

We observed multiple interesting-looking kernel panics including in the swapfile decompression code and also the intel GPU driver doing something with GPU pages.



Found by: ianbeer


Related Posts

Comments